LemonLDAP::NG is a modular WebSSO (Single Sign On) based on Apache::Session modules. It simplifies building a protected area with only a few changes to the application.
It manages both authentication and authorization and provides headers for accounting, so you can have full <abbr title="Authentication Authorization Accounting">AAA</abbr> protection for your web space as described below.
<li class="level1"><div class="li"><strong>Manager</strong>: used to manage the LemonLDAP::NG configuration and to explore sessions. Dedicated to administrators</div></li>
<li class="level1"><div class="li"><strong><a href="../documentation/1.0/portal.html" class="wikilink1" title="documentation:1.0:portal">Portal</a></strong>: used to authenticate users, display the applications list and provide identity provider services (<a href="http://en.wikipedia.org/wiki/SAML" class="urlextern" title="http://en.wikipedia.org/wiki/SAML" rel="nofollow">SAML</a>, <a href="http://en.wikipedia.org/wiki/OpenID" class="urlextern" title="http://en.wikipedia.org/wiki/OpenID" rel="nofollow">OpenID</a>, <a href="http://en.wikipedia.org/wiki/Central_Authentication_Service" class="urlextern" title="http://en.wikipedia.org/wiki/Central_Authentication_Service" rel="nofollow">CAS</a>). The Portal also provides many other features (see <a href="../documentation/1.0/portal.html" class="wikilink1" title="documentation:1.0:portal">portal</a> for more)</div></li>
The main <a href="../documentation/current/start.html#authentication_users_and_password_databases" class="wikilink1" title="documentation:latest:start">external databases</a> are:
<li class="level1"><div class="li"><strong><a href="../documentation/current/start.html#configuration_database" class="wikilink1" title="documentation:latest:start">Configuration</a></strong>: where the configuration is stored. This does not include the Apache configuration, which is not managed by LemonLDAP::NG</div></li>
<li class="level1"><div class="li"><strong><a href="../documentation/current/start.html#sessions_database" class="wikilink1" title="documentation:latest:start">Sessions</a></strong>: where sessions are stored.</div></li>
<li class="level1"><div class="li">The <a href="../documentation/current/ssocookie.html#sso_cookie" class="wikilink1" title="documentation:latest:ssocookie">SSO cookie</a> is not detected, so the Handler redirects the user to the Portal</div></li>
<li class="level1"><div class="li">The Portal creates the <a href="../documentation/current/ssocookie.html#sso_cookie" class="wikilink1" title="documentation:latest:ssocookie">SSO cookie</a> with the session key as value</div></li>
The Handler then checks the <a href="../documentation/current/ssocookie.html#sso_cookie" class="wikilink1" title="documentation:latest:ssocookie">SSO cookie</a> on each HTTP request.
<li class="level1"><div class="li">The Portal destroys the session and redirects the user to itself with an empty <a href="../documentation/current/ssocookie.html#sso_cookie" class="wikilink1" title="documentation:latest:ssocookie">SSO cookie</a></div></li>
<li class="level1"><div class="li">The user is redirected to the Portal and his <a href="../documentation/current/ssocookie.html#sso_cookie" class="wikilink1" title="documentation:latest:ssocookie">SSO cookie</a> is empty</div></li>
LemonLDAP::NG is also able to <a href="../documentation/current/writingrulesand_headers.html" class="wikilink1" title="documentation:latest:writingrulesand_headers">catch logout requests</a> on protected applications, with different behaviours:
<li class="level1"><div class="li"><strong><abbr title="Single Sign On">SSO</abbr> logout</strong>: the request is not forwarded to the application, only the <abbr title="Single Sign On">SSO</abbr> session is closed</div></li>
<li class="level1"><div class="li"><strong>Application logout</strong>: the request is forwarded to the application but the <abbr title="Single Sign On">SSO</abbr> session is not closed</div></li>
<li class="level1"><div class="li"><strong><abbr title="Single Sign On">SSO</abbr> and Application logout</strong>: the request is forwarded to the application and the <abbr title="Single Sign On">SSO</abbr> session is closed</div></li>
<li class="level1"><div class="li">Handlers have a session cache with a default lifetime of 10 minutes. So for a Handler on a different physical server than the Portal, a user with an expired session can still be authorized until the cache entry expires.</div>
</li>
<li class="level1"><div class="li">Sessions are deleted by a scheduled task. Don't forget to install the cron files!</div></li>
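Added example (not LemonLDAP::NG code) modelling the cache caveat above: two Handlers share one sessions database, the Portal logs the user out, and the Handler on another server keeps authorizing the stale session until its cache entry expires. It assumes a cache keyed by session ID and a Portal that resets only the cache of the Handler on its own host.

```python
# Added example: a model of the Handler session cache described above, not LemonLDAP::NG
# code. Assumptions: cache is keyed by session ID, the Portal resets the cache of a Handler
# on its own host, and a remote Handler only notices a destroyed session once its entry expires.

DEFAULT_CACHE_TTL = 600  # handler session cache lifetime, 10 minutes by default

class SessionStore:
    """Stand-in for the shared sessions database (Apache::Session in the real product)."""
    def __init__(self):
        self.sessions = {}
    def create(self, sid, uid):
        self.sessions[sid] = {"uid": uid}
    def get(self, sid):
        return self.sessions.get(sid)
    def destroy(self, sid):
        self.sessions.pop(sid, None)

class Handler:
    """One Handler instance with its own local session cache (sid -> time cached)."""
    def __init__(self, store, ttl=DEFAULT_CACHE_TTL):
        self.store, self.ttl, self.cache = store, ttl, {}
    def is_authorized(self, cookie_sid, now):
        if not cookie_sid:
            return False  # no SSO cookie: the Handler would redirect to the Portal
        cached_at = self.cache.get(cookie_sid)
        if cached_at is not None and now - cached_at < self.ttl:
            return True  # fresh cache entry: the sessions database is not consulted
        if self.store.get(cookie_sid) is None:
            self.cache.pop(cookie_sid, None)
            return False  # session gone (logged out or purged by the cron task)
        self.cache[cookie_sid] = now
        return True

def logout_propagation(ttl=DEFAULT_CACHE_TTL):
    """What each Handler answers right after a Portal logout and once the TTL has passed."""
    store = SessionStore()
    store.create("sid-constructed", "dwho")  # constructed session ID and user
    local, remote = Handler(store, ttl), Handler(store, ttl)  # remote runs on another server
    local.is_authorized("sid-constructed", 0)
    remote.is_authorized("sid-constructed", 0)
    store.destroy("sid-constructed")  # Portal logout destroys the session ...
    local.cache.clear()  # ... and resets the cache of the Handler on its own host
    return {
        "local_after_logout": local.is_authorized("sid-constructed", 1),
        "remote_after_logout": remote.is_authorized("sid-constructed", 1),
        "remote_after_ttl": remote.is_authorized("sid-constructed", ttl),
    }
```

Calling logout_propagation(ttl=60) shows that a shorter cache lifetime narrows the window during which a destroyed session is still accepted remotely, at the cost of more sessions database lookups.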
<p><div class="noteclassic">For security reasons, a cookie set for one domain cannot be sent to another domain. To extend <abbr title="Single Sign On">SSO</abbr> over several domains, a cross-domain mechanism is implemented in LemonLDAP::NG.
<li class="level1"><div class="li">The user owns an <a href="../documentation/current/ssocookie.html#sso_cookie" class="wikilink1" title="documentation:latest:ssocookie">SSO cookie</a> on the main domain (see <span class="curid"><a href="../documentation/presentation.html#login" class="wikilink1" title="documentation:presentation">Login kinematics</a></span>)</div></li>
<li class="level1"><div class="li">The Handler does not see the <a href="../documentation/current/ssocookie.html#sso_cookie" class="wikilink1" title="documentation:latest:ssocookie">SSO cookie</a> (because it is not in the main domain) and redirects the user to the Portal</div></li>
<li class="level1"><div class="li">The Portal recognizes the user by his <a href="../documentation/current/ssocookie.html#sso_cookie" class="wikilink1" title="documentation:latest:ssocookie">SSO cookie</a>, and sees that he is coming from a different domain</div></li>
<li class="level1"><div class="li">The Portal redirects the user to the protected application with his session ID as a <abbr title="Uniform Resource Locator">URL</abbr> parameter</div></li>
<li class="level1"><div class="li">The Handler detects the <abbr title="Uniform Resource Locator">URL</abbr> parameter and creates an <a href="../documentation/current/ssocookie.html#sso_cookie" class="wikilink1" title="documentation:latest:ssocookie">SSO cookie</a> on its own domain, with the session ID as value</div></li>
<li class="level1"><div class="li"><strong>Control the requested <abbr title="Uniform Resource Locator">URL</abbr></strong>: prevents <abbr title="Cross Site Scripting">XSS</abbr> attacks and bad redirections</div></li>
<li class="level1"><div class="li"><strong>Extract form info</strong>: get login/password, certificate or environment variable (depending on the authentication module)</div></li>
LemonLDAP::NG <a href="../documentation/current/ssocookie.html#sso_cookie" class="wikilink1" title="documentation:latest:ssocookie">SSO cookies</a> are generated by <a href="http://search.cpan.org/perldoc?Apache::Session" class="urlextern" title="http://search.cpan.org/perldoc?Apache::Session" rel="nofollow">Apache::Session</a>; they are as secure as a 128-bit random cookie. You may use the <a href="../documentation/current/ssocookie.html#sso_cookie" class="wikilink1" title="documentation:latest:ssocookie">securedCookie</a> options to avoid session hijacking. (Since version 1.4.0 you can use SHA256 to generate safer cookies.)
<p><div class="noteclassic">Authorizations are defined inside a virtual host and take effect only on it. There are no <em>global</em> authorizations except the right to open a session in the portal.
See the <a href="../documentation/current/writingrulesand_headers.html" class="wikilink1" title="documentation:latest:writingrulesand_headers">Writing rules and headers</a> chapter.
The Portal produces a <code>notice</code> message in the <a href="../documentation/current/logs.html" class="wikilink1" title="documentation:latest:logs">Apache logs or syslog</a> when a user authenticates (or fails to authenticate) and when he logs out.
LemonLDAP::NG can export <a href="../documentation/current/writingrulesand_headers.html#headers" class="wikilink1" title="documentation:latest:writingrulesand_headers">HTTP headers</a> either through a proxy or by protecting the application directly.
See <a href="../documentation/current/writingrulesand_headers.html" class="wikilink1" title="documentation:latest:writingrulesand_headers">Writing rules and headers</a> for more.